
Conversation

@ca-scribner
Member

@ca-scribner ca-scribner commented Dec 10, 2025

Also remediates GHSA-w48q-cv73-mx4w, which was previously remediated for opensearch-dashboards-2. This is bundled together with the package version bump as we know the CVE will exist.

Bumps the opensearch-dashboards-3 package to v3.3 manually because upstream forgot to actually publish a Github release.  The [Opensearch blog post for release](https://opensearch.org/blog/explore-opensearch-3-3/) confirms the product was released, and we see a [proper release issued for Opensearch itself](https://github.com/opensearch-project/OpenSearch/releases/tag/3.3.0).

As this is the second time in 6 months the Opensearch Dashboard has missed publishing a release, and because they've always cut tags accurately, we also set our automation to follow their tags for future updates.
Pin `@modelcontextprotocol/sdk==1.24.0` to remediate GHSA-w48q-cv73-mx4w.

This change is also proposed upstream in opensearch-project/OpenSearch-Dashboards#10995, where the CI is passing but a human has not yet approved or merged.
@ca-scribner ca-scribner requested a review from a team December 10, 2025 01:21
@ca-scribner ca-scribner changed the title from "opensearch-dashboards-3: bump to v3.3, follow tags for future updates" to "opensearch-dashboards-3: bump to v3.3, follow tags for future updates, remediate GHSA-w48q-cv73-mx4w" Dec 10, 2025
@octo-sts
Contributor

octo-sts bot commented Dec 10, 2025

🩹 Build Failed: Patch Application Failed

Hunk #1 FAILED at 127. 1 out of 1 hunk FAILED -- saving rejects to file package.json.rej

Build Details

Build System: melange
Failure Point: patch step during package build pipeline

Root Cause Analysis 🔍

The patch CVE-2025-9287-fix.patch failed to apply to the package.json file. Hunk #1 of the patch could not be applied at line 127, indicating that the target code in package.json has changed from what the patch expects, making the patch incompatible with the current version of the OpenSearch-Dashboards source code at tag 3.3.0.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: opensearch-dashboards-3.yaml

  • remove (patch step)
    Original:
  - uses: patch
    with:
      patches: CVE-2025-9287-fix.patch

Content:

Remove the patch step that applies CVE-2025-9287-fix.patch since it's incompatible with the current version
  • add (after line with cipher-base dependency addition)
    Original:
      # fix CVE-2025-9287
      devDependencies='{"cipher-base": "^1.0.5"}'
      jq --argjson devDependencies "$devDependencies" '.devDependencies += $devDependencies' package.json > temp.json && mv temp.json package.json

Replacement:

      # fix CVE-2025-9287
      resolutions='{"cipher-base": "^1.0.5"}'
      jq --argjson resolutions "$resolutions" '.resolutions += $resolutions' package.json > temp.json && mv temp.json package.json

Content:

Replace the devDependencies approach with resolutions to ensure cipher-base version is enforced across all dependency trees

File: CVE-2025-9287-fix.patch

  • delete
    Content:
Delete the entire CVE-2025-9287-fix.patch file since it's incompatible with OpenSearch-Dashboards 3.3.0

Analysis

The similar fixes all follow a consistent pattern: when patches fail to apply due to version changes, the solution is to replace the incompatible patch with a new one that works with the current version, or to directly modify the package.json using inline JSON manipulation. All three examples removed failed patches (CVE-2025-7783-fix.patch, 2025-07-23-CVEs.patch) and replaced them with either new compatible patches or direct package.json modifications using jq commands. The fixes updated package versions, changed expected commits, and used runtime dependency resolution rather than patches when the source code had changed significantly.


Explanation

This fix should work because it follows the exact pattern used in all similar failures. The root cause is that CVE-2025-9287-fix.patch was created for a different version of OpenSearch-Dashboards and the package.json structure has changed at line 127. Instead of trying to fix the patch, we remove it entirely and use the existing inline jq approach that's already being used successfully for other CVE fixes in the same file. The change from devDependencies to resolutions is important because resolutions provides stronger version enforcement across the entire dependency tree, which is more appropriate for security fixes. This approach is already proven to work in the build pipeline since similar CVE fixes are applied using the same method.


Alternative Approaches

  • Update the CVE-2025-9287-fix.patch to match the current package.json structure at line 127, but this requires manual inspection of the current file structure
  • Upgrade to a newer version of OpenSearch-Dashboards where the patch might be compatible, but this could introduce other breaking changes
  • Apply the cipher-base fix as a direct dependency rather than devDependencies or resolutions, but this might not provide adequate security coverage across transitive dependencies

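The bot's suggestion above boils down to editing package.json structurally (a JSON key, as the jq step does) rather than with a line-based patch that breaks when upstream reshuffles the file, as the hunk at line 127 did. The following is an added example, not code from this PR or the octo-sts bot, that does the same edit in Python and adds the check a reviewer would want: that the resolution floor actually reaches the fixed version. The package name and `^1.0.5` range come from the bot's suggestion; the sample package.json is constructed.

```python
"""Added example (not from the PR or the octo-sts bot): pin a vulnerable
transitive dependency by editing package.json structurally instead of with a
line-based patch, so the edit survives upstream reshuffling of the file."""
import json
import re

# Constructed sample package.json; not the real OpenSearch Dashboards file.
# It has no "resolutions" key yet, the case a structural edit must handle.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "devDependencies": { "jest": "^29.0.0" }
}"""


def pin_resolution(package_json: str, pkg: str, version_range: str) -> str:
    """Return package.json text with resolutions[pkg] = version_range.

    Mirrors the bot's `jq '.resolutions += $resolutions'` step; like jq's
    `+=` on null, a missing "resolutions" object is created, not an error.
    """
    data = json.loads(package_json)
    data.setdefault("resolutions", {})[pkg] = version_range
    return json.dumps(data, indent=2) + "\n"


def floor_version(version_range: str) -> tuple:
    """Lowest version a ^, ~, >= or exact semver range admits, as ints."""
    m = re.fullmatch(r"(?:\^|~|>=)?\s*(\d+)\.(\d+)\.(\d+)", version_range.strip())
    if not m:
        raise ValueError(f"unsupported range: {version_range!r}")
    return tuple(int(x) for x in m.groups())


def is_pinned_at_least(package_json: str, pkg: str, fixed: str) -> bool:
    """True if resolutions[pkg] exists and cannot resolve below `fixed`."""
    resolutions = json.loads(package_json).get("resolutions", {})
    if pkg not in resolutions:
        return False
    return floor_version(resolutions[pkg]) >= floor_version(fixed)


if __name__ == "__main__":
    updated = pin_resolution(SAMPLE_PACKAGE_JSON, "cipher-base", "^1.0.5")
    print(updated)
    print("pinned at >= 1.0.5:", is_pinned_at_least(updated, "cipher-base", "1.0.5"))
```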

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Dec 10, 2025
@ca-scribner ca-scribner force-pushed the opensearch-dashboard-3/use-tags branch from b6f0a44 to 79a45fc December 10, 2025 01:46
@ca-scribner ca-scribner force-pushed the opensearch-dashboard-3/use-tags branch from 79a45fc to afc93ad December 10, 2025 01:46
@powersj powersj removed the request for review from a team December 15, 2025 23:51
@powersj
Member

powersj commented Dec 15, 2025

Removing sustaining from reviewer!
